A major cybersecurity firm says it believes Beijing-backed hackers carried out cyberattacks on Israel while pretending to be operating from Israel’s archrival, Iran.
U.S. cybersecurity firm FireEye said on August 10 that a study it conducted in cooperation with the Israeli military found that “UNC215,” described by FireEye as a spy group suspected of being from China, had hacked into Israeli government networks by logging in over the Remote Desktop Protocol (RDP) with credentials stolen from trusted third parties. RDP lets a remote user connect to a computer over the network and see and control its “desktop” as if sitting in front of it, so a valid stolen login is all an attacker needs.
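The access path described above, a stolen third-party credential used over RDP, leaves a visible trail in Windows Security logs: a successful logon event (ID 4624) with logon type 10, which is the “RemoteInteractive” type RDP sessions produce. The following is an added example, not code from the article or from FireEye, showing one check a defender can run over such events: flag RDP logons by accounts belonging to third-party providers when the connection does not originate from that provider's expected addresses. The log lines, the provider domain names (MSPVENDOR, TELCOSUPPORT) and the address ranges are constructed sample data; the event field names follow the 4624 schema.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Added example, not from the VOA article or FireEye's report.
# Windows Security event 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).


@dataclass
class Logon:
    timestamp: str
    account: str      # DOMAIN\user, from TargetDomainName / TargetUserName
    logon_type: int   # 4624 LogonType; 10 means an RDP session
    source_ip: str    # 4624 IpAddress field


# Constructed: third-party IT providers that hold legitimate accounts in the estate,
# mapped to the address ranges their staff are contractually expected to connect from.
VENDOR_SOURCES = {
    "MSPVENDOR": [ipaddress.ip_network("203.0.113.0/28")],
    "TELCOSUPPORT": [ipaddress.ip_network("198.51.100.0/28")],
}


def parse_4624(line: str) -> Logon:
    """Parse one 'key=value|key=value' rendering of a 4624 event (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return Logon(
        timestamp=fields["Time"],
        account=f'{fields["TargetDomainName"]}\\{fields["TargetUserName"]}',
        logon_type=int(fields["LogonType"]),
        source_ip=fields["IpAddress"],
    )


def suspicious_rdp_logons(lines: Iterable[str]) -> list[Logon]:
    """Return RDP logons (type 10) by third-party accounts whose source address is
    outside the provider's expected range. Internal accounts and non-RDP logons
    by third-party accounts are ignored by this particular check."""
    hits: list[Logon] = []
    for line in lines:
        ev = parse_4624(line)
        if ev.logon_type != 10:
            continue
        domain = ev.account.split("\\", 1)[0]
        expected = VENDOR_SOURCES.get(domain)
        if expected is None:
            continue  # not a third-party account
        ip = ipaddress.ip_address(ev.source_ip)
        if not any(ip in net for net in expected):
            hits.append(ev)
    return hits


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # vendor account, RDP, from the vendor's expected range: not flagged
    "Time=2019-01-14T02:11:05Z|EventID=4624|TargetDomainName=MSPVENDOR|TargetUserName=svc-backup|LogonType=10|IpAddress=203.0.113.7",
    # same vendor account, RDP, from an internal host the vendor never uses: flagged
    "Time=2019-01-14T02:40:19Z|EventID=4624|TargetDomainName=MSPVENDOR|TargetUserName=svc-backup|LogonType=10|IpAddress=10.20.30.40",
    # internal user over RDP: outside this check's scope
    "Time=2019-01-14T03:02:44Z|EventID=4624|TargetDomainName=GOVNET|TargetUserName=alice|LogonType=10|IpAddress=10.0.0.5",
    # vendor account but a network (type 3) logon, not RDP: not flagged here
    "Time=2019-01-14T03:15:00Z|EventID=4624|TargetDomainName=TELCOSUPPORT|TargetUserName=noc-admin|LogonType=3|IpAddress=10.9.9.9",
    # vendor account, RDP, from an unexpected external address: flagged
    "Time=2019-01-14T04:00:00Z|EventID=4624|TargetDomainName=TELCOSUPPORT|TargetUserName=noc-admin|LogonType=10|IpAddress=192.0.2.33",
]

if __name__ == "__main__":
    for hit in suspicious_rdp_logons(SAMPLE_EVENTS):
        print(f"{hit.timestamp} {hit.account} RDP from {hit.source_ip}")
```

The check deliberately keys on the account's domain rather than on the source address alone: a stolen vendor credential used from inside the victim's own network (the second sample event) is exactly the case a plain “external IP” rule would miss.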
FireEye data, along with information shared by Israel’s defense agency, show that starting in January 2019, UNC215 carried out a number of concurrent attacks “against Israeli government institutions, IT providers, and telecommunications entities,” according to the report.
Mandiant: Chinese hackers masquerading as Iranians
FireEye’s report comes shortly after a July 19 joint statement by the U.S., the European Union and NATO accusing China of “a pattern of malicious cyber activity” aimed at entities ranging from foreign governments to private companies globally.
In 2019 and 2020, when hackers allegedly broke into the computers of the Israeli government and technology companies, investigators looked for clues to find those responsible for the cyberattacks. The initial evidence pointed directly to Iran, Israel’s geopolitical rival. Hackers used tools commonly associated with Iranians and wrote in Farsi.
But after further scrutiny of the evidence and the information gathered from other cyberespionage cases in the Middle East, the investigators realized that it was not an Iranian operation. Instead, the evidence suggested the attacks were carried out by Chinese agents posing as Iranian hackers.
John Hultquist, vice president of threat intelligence at FireEye, told VOA that Mandiant, a cybersecurity operation owned by FireEye, “attributes this campaign to Chinese espionage operators, which operate on behalf of the Chinese government.”
Among the deception tactics, according to the study, was a file path containing the word “Iran.” At the same time, the attackers made every effort to protect their true identity, minimizing the forensic evidence they left on compromised computers and hiding the infrastructure they used to break into Israeli computers.
According to Hultquist, such deception can appear effective: a single intrusion may well be misattributed. But the more intrusions a group carries out, the harder it becomes to hide its identity, because investigators can compare the evidence across cases.
Liu Pengyu, a spokesperson for the Chinese embassy in Washington, challenged the FireEye findings in an interview with the website Cyberscoop.
“Given the virtual nature of cyberspace and the fact that there are all kinds of online actors who are difficult to trace, it’s important to have enough evidence when investigating and identifying cyber-related incidents,” he said.
Chris Kubecka, chair of the cyber program at the Middle East Institute (MEI), a Washington-based research institute, suggested that FireEye’s conclusion that Beijing-backed hackers were responsible may have been too hasty.
“FireEye is not really in a position to prove attribution. That position is for governments after a proper investigation,” she said.
Kubecka, however, also pointed out that all too often, nation-state actors make their attacks look like the work of another country or regime: by writing “code comments” in another language, by otherwise appearing to operate from a different country, or by reusing code from another piece of malware to divert blame. A “comment,” in programming, is a human-readable note in source code that the computer ignores; it exists only to make the code easier for people to understand, which is why the language it is written in can be planted as a false clue.
If confirmed, what are Beijing’s intentions?
Kubecka told VOA that if the Chinese government was responsible for the cyberattacks, it could be part of a long game of splitting the Middle East politically through infrastructure and trade deals. She said the Chinese government has shown an appetite for acquiring and copying technology, with the goal of benefiting Chinese businesses and ultimately the Chinese economy by reducing development costs.
During the administration of President Donald Trump, the U.S. accused Chinese companies and workers of stealing American technology and trade secrets. In 2019, the Chinese tech giant Huawei was charged by U.S. federal prosecutors with stealing trade secrets from U.S. company T-Mobile.
“Currently, most Middle East and especially GCC (Gulf Cooperation Council) countries don’t want to be pulled into the political game that has affected the USA and China. Posing as a well-known destabilizing country via cyberattacks could achieve long-term goals for the Chinese government in the region,” she said.
Denny Roy, a senior fellow at the Washington-based East-West Center research organization, told VOA that this is an indication of the depth of China’s commitment to cybertheft as part of China’s national development strategy: The top leadership blesses it despite the possibility of offending important trade or political partners, in this case, Israel.
“It suggests Chinese hubris — that Beijing thinks China’s economic importance to the world allows China to get away with almost anything. The more China aspires to be a global great power, the more it will encounter contradictory pressures in its foreign policy, such as trying to simultaneously portray itself as a friend to both Israel and Iran,” Roy added.
FireEye’s Hultquist argued that this cyber espionage activity is happening against the backdrop of China’s multibillion-dollar investment related to the Belt and Road Initiative and its interest in Israel’s technology sector.
According to FireEye’s report, “Chinese companies have invested billions of dollars into Israeli technology startups, partnering or acquiring companies in strategic industries like semi-conductors and artificial intelligence.” The report continued: “As China’s BRI (Belt and Road Initiative) moves westward, its most important construction projects in Israel are the railway between Eilat and Ashdod, a private port at Ashdod, and the port of Haifa.”
Richard Weitz, director of the Center for Political-Military Analysis with the Hudson Institute, a U.S.-based research group, told VOA that China is one of the few countries in the world that enjoys good relations with Israel, Iran and Saudi Arabia.
“These good relations should be able to survive intermittent incidents like the recent cyber hacking, but one variable beyond China’s control is the position of the United States. If Washington presses its partners like Israel to make choices, then China’s balance act may no longer prove viable,” he said.